Existing Anti-Rootkit Tools
- Signature-based
  - Only works against known rootkits
- Behavior-based
  - Measure the time and the number of instructions spent on system queries
  - An unusually high count indicates that the O/S is manipulating the response
  - Too many false positives
- Cross-level system view
  - Query the system at a high and at a low level, e.g., compare the ps response against the scheduler lists
  - A compromised O/S can manipulate all levels

Security Hole #3
- Security 101
  - Encryption: keeps something secret, private
  - Signing: makes something unmodifiable (tamper-evident) and binds the pieces of a message together
  - Using one for the other is a BAD idea: it creates an illusion of protection
- Why encrypt the page table?
  - The O/S already knows it, so why keep it a secret?
  - Signing is necessary; encryption is useless
  - The paper rests on the assumption that any tampering will result in a meaningless page table

Security Hole #3 (cont.)
- What they intended to say
  - The entry for virtual address V, for process PID, at level lvl, is physical address P (the next-level pointer or the data location)
- How it should have been written
  - P, σ_K(P, V, PID, lvl) (σ = signature under the checker's key K)
  - Bind each page table entry to where it should be located
- What was actually written
  - Some entries are secret; I won't tell you
  - Though you can ask me
  - ...and you already know
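The difference between the two designs on this slide, as an added example for this critique (it is not code from the paper under review, nor does it model its actual hardware): the checker key, the slot layout (V, PID, lvl), the toy PRF-based cipher standing in for the paper's encryption, and the two constructed page-table entries are all assumptions made for illustration. The compromised O/S, which already knows every P, swaps two stored entries. Under encrypt-only storage every slot still decrypts to a valid-looking P and the audit flags nothing; under P, σ_K(P, V, PID, lvl) the tag no longer matches the slot it sits in and both slots are flagged.

```python
"""Binding a page-table entry to its slot with a keyed signature (MAC) versus
merely encrypting it.  Added example for this critique, not the paper's code.
The checker key, slot layout and sample entries are assumptions."""
import hashlib
import hmac
import os
import struct

# Assumed: a secret held only by the hardware stealth checker (K in sigma_K);
# the O/S never sees it.
CHECKER_KEY = os.urandom(32)


def _pack_slot(V, PID, lvl):
    # Fixed-width encoding so (V, PID, lvl) cannot be re-parsed ambiguously.
    return struct.pack(">QIB", V, PID, lvl)


def _pack_P(P):
    return struct.pack(">Q", P)


# --- Scheme 1: encrypt the entry and nothing else (the approach criticised) ---
# Toy stream cipher: keystream = HMAC(key, nonce).  A real design would use a
# block cipher, but the property that matters here (no integrity, no binding to
# the slot) is the same.
def encrypt_P(key, P):
    nonce = os.urandom(16)
    ks = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    return nonce + bytes(a ^ b for a, b in zip(_pack_P(P), ks))


def decrypt_P(key, ct):
    nonce, body = ct[:16], ct[16:]
    ks = hmac.new(key, nonce, hashlib.sha256).digest()[:8]
    return struct.unpack(">Q", bytes(a ^ b for a, b in zip(body, ks)))[0]


def build_encrypted_table(key, entries):
    """entries: {(V, PID, lvl): P} -> {(V, PID, lvl): ciphertext}."""
    return {slot: encrypt_P(key, P) for slot, P in entries.items()}


def audit_encrypted_table(key, table):
    """Slots the encrypt-only checker would flag.  Any well-formed ciphertext
    decrypts to *some* P, so relocated or substituted entries are never caught."""
    bad = []
    for slot, ct in table.items():
        try:
            decrypt_P(key, ct)
        except struct.error:          # only a truncated record fails
            bad.append(slot)
    return bad


# --- Scheme 2: store P, sigma_K(P, V, PID, lvl)  (what the slide asks for) ---
def sign_entry(key, P, V, PID, lvl):
    return hmac.new(key, _pack_P(P) + _pack_slot(V, PID, lvl),
                    hashlib.sha256).digest()


def build_signed_table(key, entries):
    """{(V, PID, lvl): P} -> {(V, PID, lvl): (P, tag)}; P stays in the clear,
    since the O/S knows it anyway."""
    return {(V, PID, lvl): (P, sign_entry(key, P, V, PID, lvl))
            for (V, PID, lvl), P in entries.items()}


def audit_signed_table(key, table):
    """Slots whose tag does not match the (P, V, PID, lvl) actually stored there."""
    return [slot for slot, (P, tag) in table.items()
            if not hmac.compare_digest(tag, sign_entry(key, P, *slot))]


# --- The compromised O/S's move: relocate entries whose meaning it already knows
def swap_slots(table, a, b):
    table[a], table[b] = table[b], table[a]
    return table


# Constructed sample: two level-0 entries of PID 42.
SLOT_A, SLOT_B = (0x1000, 42, 0), (0x2000, 42, 0)
SAMPLE = {SLOT_A: 0xA000,   # V 0x1000 -> P 0xA000 (say, a benign page)
          SLOT_B: 0xB000}   # V 0x2000 -> P 0xB000 (say, a rootkit page)


def demo(key=CHECKER_KEY):
    enc = swap_slots(build_encrypted_table(key, SAMPLE), SLOT_A, SLOT_B)
    sig = swap_slots(build_signed_table(key, SAMPLE), SLOT_A, SLOT_B)
    return {
        "enc_flagged": audit_encrypted_table(key, enc),       # nothing caught
        "enc_now_maps": {s: decrypt_P(key, c) for s, c in enc.items()},
        "sig_flagged": sorted(audit_signed_table(key, sig)),  # both slots caught
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two caveats follow directly from the slides. First, the tag only helps if the checker computes it for the slot it is auditing and never acts as a signing oracle for the O/S ("though you can ask me"); otherwise the O/S can obtain a valid tag for any (P, V, PID, lvl) it likes. Second, this fixes only the binding problem of Security Hole #3: an O/S that writes physical memory directly, as described under Security Hole #4, never goes through the audited table at all.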

Security Hole #4
- The virtual memory system is used as a fence
  - A (theoretically) tamper-evident page table
- The O/S can simply bypass the VMM
  - Issue writes to physical addresses directly
  - The O/S can purge malicious pages prior to auditing
  - Similar to the cleaner-app, but without leaving any trace

Security Vulnerability #1
- The stealth checker employs upgradeable firmware
- A rootkit stored on disk can upgrade the firmware
  - A system reboot will not clean the system
  - (Beyond the scope of this paper)
- A compromised O/S may compromise the firmware
  - Enjoy the CPU spying on you
  - Impossible to detect

Conclusion
- Rootkits are a growing concern
- Hardware monitoring is a good idea for protection
  - Malware cannot cheat hardware that easily
  - It is also a good idea for rootkits: a BIOS rootkit is in the works
- The paper's implementation does more harm than good
  - Broken algorithm: signing of each page table level is needed
  - But the O/S can bypass the virtual memory manager
  - The cleaner-app is also a problem
- LBA should target O/S protection